Browsers allow extensions to inject code, manipulate the DOM, etc.

Over the years, I have noticed lots and various uncaught errors (using window.onerror) on a website (app) I am watching, generated by unknown browser extensions on Firefox, Chrome and Internet Explorer (all versions).

These errors didn’t seem to be interrupting anything. Now I want to increase the security of this website, because it will start processing credit cards. I have seen with my own eyes malware/spyware infecting browsers with modified browser extensions (innocent browser extension, modified to report to attackers/script kiddies) working as keyloggers (using trivial onkey* event handlers, or just input.value checks).

Is there a way (meta tag, etc.) to inform a browser to disallow code injection or reading the DOM, standard or non-standard? The webpage is already SSL, yet this doesn’t seem to matter (as in give a hint to the browser to activate stricter security for extensions).

.

Possible workarounds (kind of a stretch vs. a simple meta tag) suggested by others or off the top of my head:

• Virtual keyboard for entering numbers + non textual inputs (aka img for digits)
• remote desktop using Flash (someone suggested HTML5, yet that doesn’t solve the browser extension listening on keyboard events; only Flash, Java, etc. can).
• Very complex Javascript based protection (removes non white listed event listeners, in-memory input values along with inputs protected with actual asterix characters, etc.) (not feasible, unless it already exists)
• Browser extension with the role of an antivirus or which could somehow protect a specific webpage (this is not feasible, maybe not even possible without creating a huge array of problems)

Edit: Google Chrome disables extensions in Incognito Mode, however, there is no standard way to detect or automatically enable Incognito Mode and so a permanent warning must be displayed.